Bug 1374733 (CVE-2016-7551) - CVE-2016-7551 asterisk: RTP Resource Exhaustion
Summary: CVE-2016-7551 asterisk: RTP Resource Exhaustion
Alias: CVE-2016-7551
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1374734 1374735
Reported: 2016-09-09 13:36 UTC by Martin Prpič
Modified: 2021-02-17 03:21 UTC

Fixed In Version: asterisk 11.23.1, asterisk 13.11.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-07-12 13:04:21 UTC


Description Martin Prpič 2016-09-09 13:36:29 UTC
The following flaw was found in Asterisk:

The overlap dialing feature in chan_sip allows chan_sip to report to a device that the number that has been dialed is incomplete and more digits are required. If this functionality is used with a device that has performed username/password authentication, RTP resources are leaked. This occurs because the code fails to release the old RTP resources before allocating new ones in this scenario. If all resources are used then RTP port exhaustion will occur and no RTP sessions are able to be set up.

Upstream bug:


External References:


Comment 1 Martin Prpič 2016-09-09 13:37:02 UTC
Created asterisk tracking bugs for this issue:

Affects: fedora-all [bug 1374734]
Affects: epel-6 [bug 1374735]

Comment 2 Andrej Nemec 2016-09-26 08:14:18 UTC


Comment 3 Adam Mariš 2016-10-26 07:16:23 UTC
UPDATE (20 October, 2016):

It has been brought to our attention by Walter Doekes that this same leak can be exploited without the use of the overlap dialing feature. Sending SIP requests in a specific sequence outside the norm could also cause the leak of RTP resources. By sending an in-dialog INVITE after receiving a 404 response (but before sending an ACK), an attacker could cause the same leak to occur.

Comment 4 Jared Smith 2016-10-26 16:49:03 UTC
I'm working with the Digium developers to get systemd support added to dahdi-tools, so that we can unretire dahdi-tools, which is a dependency of Asterisk. That will allow me to update the Asterisk packages in Fedora/EPEL to the latest version which will close this vulnerability.

Comment 5 Product Security DevOps Team 2019-07-12 13:04:21 UTC
